From 4f59c424dabfc69b7313d84685df68dd406d6ff9 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Fri, 12 Sep 2014 21:13:47 +0100
Subject: [PATCH 1/1] Fix needless OCSP request under DANE usage 3 and with require_ocsp in play though inactive

---
 doc/doc-docbook/spec.xfpt | 2 +-
 src/src/tls-openssl.c | 29 +++++++++++++++--------------
 2 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 28597c352..e5f307882 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -26309,7 +26309,7 @@ an identically named option for the &(smtp)& transport. In each case, the value of the option is expanded and must then be the name of a file that contains a CRL in PEM format. The downside is that clients have to periodically re-download a potentially huge
-file from every certificate authority the know of.
+file from every certificate authority they know of.
 The way with most moving parts at query time is Online Certificate Status Protocol (OCSP), where the client verifies the certificate
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 7d9ab8b4d..b77ed32e1 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1784,28 +1784,29 @@ tls_out.tlsa_usage = 0;
 #ifndef DISABLE_OCSP
   {
+# ifdef EXPERIMENTAL_DANE
+  if ( tlsa_dnsa
+     && ob->hosts_request_ocsp[0] == '*'
+     && ob->hosts_request_ocsp[1] == '\0'
+     )
+    {
+    /* Unchanged from default. Use a safer one under DANE */
+    request_ocsp = TRUE;
+    ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
+      " {= {4}{$tls_out_tlsa_usage}} } "
+      " {*}{}}";
+    }
+# endif
+
   if ((require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
     NULL, host->name, host->address, NULL) == OK))
     request_ocsp = TRUE;
   else
-    {
 # ifdef EXPERIMENTAL_DANE
-    if ( tlsa_dnsa
-       && ob->hosts_request_ocsp[0] == '*'
-       && ob->hosts_request_ocsp[1] == '\0'
-       )
-      {
-      /* Unchanged from default. Use a safer one under DANE */
-      request_ocsp = TRUE;
-      ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
-        " {= {4}{$tls_out_tlsa_usage}} } "
-        " {*}{}}";
-      }
-    else
+    if (!request_ocsp)
 # endif
       request_ocsp = verify_check_this_host(&ob->hosts_request_ocsp,
         NULL, host->name, host->address, NULL) == OK;
-    }
   }
 #endif
-- 
2.30.2
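Review bot: On the new side the DANE branch sets `request_ocsp = TRUE` and swaps in the `$tls_out_tlsa_usage` expansion before any host-list check runs, and the added `if (!request_ocsp)` guard then makes the `verify_check_this_host(&ob->hosts_request_ocsp, ...)` call unreachable on that path, so within this hunk the substituted list is assigned but never evaluated. That is presumably deliberate, since the TLSA usage the expansion keys on cannot be known until the peer's certificate has been verified, but nothing here says the list is re-expanded later, and a reader could reasonably "fix" the guard and reintroduce the needless request the commit removes; a comment at the assignment such as `/* Not evaluated here: $tls_out_tlsa_usage is only known after verification, so this list must be re-checked once it is set */` would pin the intent. Note also that the assignment rewrites `ob->hosts_request_ocsp` in place; if `ob` is the per-transport options block this persists across later deliveries, which then fail the `[0] == '*'` test and take the non-DANE path with the DANE-aware string already installed — harmless as far as I can see, but worth a one-line comment saying the mutation is intentional. The enclosing function starts and ends outside the hunk.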